Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.
To enable SSL via proxy, in local.conf add
ENABLED_SERVICES+=,tls-proxy
This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certificates are also added to the system CA bundle.
To enable SSL natively, in local.conf add:
USE_SSL=True
Native SSL by default will also use the devstack-generated root and
subordinate CA.
You can override this on a per-service basis by setting
<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca
You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
Each project was configuring the auth_token middleware using several
lines of inisets. Since all the projects should configure the
auth_token middleware in the same way create a function and call it.
Change-Id: I3b6727d5a3bdc0ca600d8faa23bc6db32bb32260
run_process will use screen if USE_SCREEN=True (the default),
otherwise it will simply start the requested service. Therefore
wherever screen_it is used, run_process can be used instead.
Where stop_screen was found it has been replaced with stop_process.
A tail_log function has been added which will tail a logfile in a
screen if USE_SCREEN is True.
lib/template has been updated to reflect the use of the new
functions.
When using sg the quoting in run_process gets very complicated.
To get around this run_process and the functions it calls accept
an optional third argument. If set it is a group to be used with sg.
Change-Id: Ia3843818014f7c6c7526ef3aa9676bbddb8a85ca
Environments with large numbers of CPUs will create a large
number of workers which can have an unnecessarily large
impact on memory usage, particularly where you know how many
workers are needed.
Change-Id: Ie4bb075310a61a0873c9e56e4974600dbb4794a1
Install glance_store from git so we can test Glance against master. This
is useful for both glance and glance_store gates, to make sure nothing
is broken there.
Change-Id: I6c01165c4384c41f46f2c32d64475703b3178dab
This patch copies all files from /etc/metadefs to
/etc/glance/metadefs and calls glance-manage db_load_metadefs
after successful database migration. This covers whole
process of initializing the metadata catalog.
Change-Id: I2ffd19bf543708b42229ef78dd17ee317f58e6ad
Implements: blueprint glance-metadata-definitions-support
Co-Authored-By: Travis Tripp <travis.tripp@hp.com>
glance_store uses a new section to keep its configs. This patch
duplicates the existing, store related, config options and sets them
under the glance_store section.
Once glance is fully migrated, the old options will be removed.
Change-Id: Ie3de87cf07a321415d111e644ccbb360c7491151
This does the local var cleanup for the account creation in the following projects:
* Ceilometer
* Glance
* Sahara
* Trove
Change-Id: I67631578f79eeaaf2814db84f0f5c19d93aee4f3
As we integrated OSprofiler with Glance:
https://review.openstack.org/#/c/105635/
glance-registry service started using notification API so it requires
a properly set up AMQP.
Change-Id: I0c4bb8a10960ed3ee06b67a209703d7ee81cf1ca
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc individually. Change the
services over to use this.
Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.
identity_uri option was released in keystoneclient 0.8.0
Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed
Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.
Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check. Add a note to HACKING.rst
Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
This converts the special cases in the is_service_enabled() function to call
individual functions declared by the projects. This allows projects that
are not in the DevStack repo and called via the extras.d plugin to handle
an equivalent service alias.
* Ceilometer
* Cinder
* Glance
* Neutron
* Nova
* Swift
TODO: remove the tests from is_service_enabled() after a transition period
Patch Set 2: Rebased
Change-Id: Ic78be433f93a9dd5f46be548bdbd4c984e0da6e7
glance just used the admin role for token validation,
the service role is sufficient for this.
glance also needs a user with enough permission to use swift,
so creating a dedicated service user for swift usage when s-proxy is
enabled.
Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
The list of services that Tempest used to set its 'service_available'
config values was hard-coded. To be plugin-friendly have each
service (project) add its name to the TEMPEST_SERVICES variable
and use that for setting the 'service_available' values.
Change-Id: I208efd7fd0798b18ac2e6353ee70b773e84a2683
Change Id9aab356b36b2150312324a0349d120bbbbd4e63 introduced a call to
iniset_multiline to enable swift stores explicitly. However, the call
has a missing file argument which resulted in this call setting the
values to the wrong file, section and param. This patch fixes that.
Change-Id: Ib17048e05c467bc8ca2c13fe4297d6bac6c8a880
* Save PID when using screen in screen_it()
* Add screen_stop()
* Call out service stop_*() in unstack.sh functions so screen_stop()
can do its thing
Closes-bug: 1183449
Change-Id: Iac84231cfda960c4197de5b6e8ba6eb19225169a
The version of the authentication url is set to v1.0 for some
projects by default. We can make it configurable via the parameter
"$IDENTITY_API_VERSION".
Closes-Bug: #1253539
Change-Id: I6640e345d1317b1308403c95b13f8a998320241b
Devstack currently relies on the default value of the `known_stores`
configuration option. This patch enables explicitly the default stores
used by devstack.
The real fix for the issue below will land in Glance. However, since the
default stores will be FS and HTTP we need devstack to enable Swift's as
well, which is required in the gates, hence this patch.
Partially-fixes: #1255556
Change-Id: Id9aab356b36b2150312324a0349d120bbbbd4e63
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
its own encrypted endpoint.
Implementing: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.
Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
When end users specify proxy settings in config file for wget /etc/wgetrc:
http_proxy = http://...
or for curl ${HOME}/.curlrc:
proxy = http://...
Using `http_proxy="" wget' can not skip the proxy setting in the
config files, also it can skip proxy settings in env variables.
In order to skip proxy setting in both env and config file, we pass
--no-proxy option for wget, and --noproxy '*' for curl.
Fixes bug #1224836
Change-Id: I2b25aeca9edf2ce4525fb1db325e5e24c18b4d55
As per https://bugs.launchpad.net/glance/+bug/1213197, and subsequent
review at https://review.openstack.org/#/c/47161/ Glance-manage commands
are proposed to be subcommands of 'db'. This would require change to the
script to recreate_db which calls the db_sync command.
Implements blueprint edit-glance-manage-command-for-recreate-db
Change-Id: I9470709ec34896dba7a37fdff4791206bb5ef5ed
I find that enabling the debug log level often causes me to miss
important error messages due to the sheer volume of information
logged. This change allows configuration of the debug option
in a number of the projects so it can be disabled globally
without having to make one-off changes after each re-stack.
Note that this does not apply to Keystone or Swift right now.
They use a different method to configure their logging level and
I'm not as familiar with them so I didn't want to mess with their
settings.
Change-Id: I185d496543d245a644854c8a37f3359377cb978c
configure remains just to generate configs, install now
gets the setup_develop in addition to the git clone. This lets
us remove configure_glanceclient as a function
Change-Id: I68e3e3973d15dc0b4f534662a4f57a9f38f69784
for files that don't start with a #! or end in .sh, the added tags
are nice for emacs users to automatically switch to the right mode.
Change-Id: If4b93e106191bc744ccad8420cef20e751cdf902
clean.sh gets rid of all residue of running DevStack except installed
packages and pip modules.
And it eradicates rabbitmq-server and its erlang dependencies as well as
the other RPC backends and databases.
Change-Id: I2b9a251a0a151c012bae85a5a2f9c2f72e7700be
Fixes bug 1137667
Previously the auth/sasl config for qpidd was broken, and the
openstack services using RPC were not properly configured.
Now we ensure that:
- the admin qpid_username/password are configured for all services
(as the qpidd ACL config denies all access to non-admin users)
- the PLAIN sasl mechanism is configured for qpidd (otherwise the
qpid_password is not propagated)
- the qpidd process has read permission on the sasl DB (otherwise
the admin user/pass cannot be verified even if set)
Change-Id: Id6bd675841884451b78f257afe786f494a03c0f7